5
CVSSv2

CVE-2016-6794

Published: 10/08/2017 Updated: 05/10/2020
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 5.3 | Impact Score: 1.4 | Exploitability Score: 3.9
VMScore: 445
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Summary

When a SecurityManager is configured, a web application's ability to read system properties should be controlled by the SecurityManager. In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70, 6.0.0 to 6.0.45 the system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible.

Most Upvoted Vulmon Research Post

There is no Researcher post for this vulnerability
Would you like to share something about it? Sign up now to share your knowledge with the community.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

apache tomcat 6.0.0

apache tomcat 6.0.1

apache tomcat 6.0.2

apache tomcat 6.0.3

apache tomcat 6.0.4

apache tomcat 6.0.5

apache tomcat 6.0.6

apache tomcat 6.0.7

apache tomcat 6.0.8

apache tomcat 6.0.9

apache tomcat 6.0.10

apache tomcat 6.0.11

apache tomcat 6.0.12

apache tomcat 6.0.13

apache tomcat 6.0.14

apache tomcat 6.0.15

apache tomcat 6.0.16

apache tomcat 6.0.17

apache tomcat 6.0.18

apache tomcat 6.0.19

apache tomcat 6.0.20

apache tomcat 6.0.21

apache tomcat 6.0.22

apache tomcat 6.0.23

apache tomcat 6.0.24

apache tomcat 6.0.25

apache tomcat 6.0.26

apache tomcat 6.0.27

apache tomcat 6.0.28

apache tomcat 6.0.29

apache tomcat 6.0.30

apache tomcat 6.0.31

apache tomcat 6.0.32

apache tomcat 6.0.33

apache tomcat 6.0.34

apache tomcat 6.0.35

apache tomcat 6.0.36

apache tomcat 6.0.37

apache tomcat 6.0.38

apache tomcat 6.0.39

apache tomcat 6.0.40

apache tomcat 6.0.41

apache tomcat 6.0.42

apache tomcat 6.0.43

apache tomcat 6.0.44

apache tomcat 6.0.45

apache tomcat 7.0.0

apache tomcat 7.0.1

apache tomcat 7.0.2

apache tomcat 7.0.3

apache tomcat 7.0.4

apache tomcat 7.0.5

apache tomcat 7.0.6

apache tomcat 7.0.7

apache tomcat 7.0.8

apache tomcat 7.0.9

apache tomcat 7.0.10

apache tomcat 7.0.11

apache tomcat 7.0.12

apache tomcat 7.0.13

apache tomcat 7.0.14

apache tomcat 7.0.15

apache tomcat 7.0.16

apache tomcat 7.0.17

apache tomcat 7.0.18

apache tomcat 7.0.19

apache tomcat 7.0.20

apache tomcat 7.0.21

apache tomcat 7.0.22

apache tomcat 7.0.23

apache tomcat 7.0.24

apache tomcat 7.0.25

apache tomcat 7.0.26

apache tomcat 7.0.27

apache tomcat 7.0.28

apache tomcat 7.0.29

apache tomcat 7.0.30

apache tomcat 7.0.31

apache tomcat 7.0.32

apache tomcat 7.0.33

apache tomcat 7.0.34

apache tomcat 7.0.35

apache tomcat 7.0.36

apache tomcat 7.0.37

apache tomcat 7.0.38

apache tomcat 7.0.39

apache tomcat 7.0.40

apache tomcat 7.0.41

apache tomcat 7.0.42

apache tomcat 7.0.43

apache tomcat 7.0.44

apache tomcat 7.0.45

apache tomcat 7.0.46

apache tomcat 7.0.47

apache tomcat 7.0.48

apache tomcat 7.0.49

apache tomcat 7.0.50

apache tomcat 7.0.52

apache tomcat 7.0.53

apache tomcat 7.0.54

apache tomcat 7.0.55

apache tomcat 7.0.56

apache tomcat 7.0.57

apache tomcat 7.0.58

apache tomcat 7.0.59

apache tomcat 7.0.60

apache tomcat 7.0.61

apache tomcat 7.0.62

apache tomcat 7.0.63

apache tomcat 7.0.64

apache tomcat 7.0.65

apache tomcat 7.0.66

apache tomcat 7.0.67

apache tomcat 7.0.68

apache tomcat 7.0.69

apache tomcat 7.0.70

apache tomcat 8.0

apache tomcat 8.0.0

apache tomcat 8.0.1

apache tomcat 8.0.2

apache tomcat 8.0.3

apache tomcat 8.0.4

apache tomcat 8.0.5

apache tomcat 8.0.6

apache tomcat 8.0.7

apache tomcat 8.0.8

apache tomcat 8.0.9

apache tomcat 8.0.10

apache tomcat 8.0.11

apache tomcat 8.0.12

apache tomcat 8.0.13

apache tomcat 8.0.14

apache tomcat 8.0.15

apache tomcat 8.0.16

apache tomcat 8.0.17

apache tomcat 8.0.18

apache tomcat 8.0.19

apache tomcat 8.0.20

apache tomcat 8.0.21

apache tomcat 8.0.22

apache tomcat 8.0.23

apache tomcat 8.0.24

apache tomcat 8.0.25

apache tomcat 8.0.26

apache tomcat 8.0.27

apache tomcat 8.0.28

apache tomcat 8.0.29

apache tomcat 8.0.30

apache tomcat 8.0.31

apache tomcat 8.0.32

apache tomcat 8.0.33

apache tomcat 8.0.34

apache tomcat 8.0.35

apache tomcat 8.0.36

apache tomcat 8.5.0

apache tomcat 8.5.1

apache tomcat 8.5.2

apache tomcat 8.5.3

apache tomcat 8.5.4

apache tomcat 9.0.0

Vendor Advisories

Synopsis Important: Red Hat JBoss Web Server security and enhancement update Type/Severity Security Advisory: Important Topic An update is now available for Red Hat JBoss Web ServerRed Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring System ...
It was discovered that when a SecurityManager was configured, Tomcat's system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible ...
Multiple security vulnerabilities have been discovered in the Tomcat servlet and JSP engine, which may result in possible timing attacks to determine valid user names, bypass of the SecurityManager, disclosure of system properties, unrestricted access to global resources, arbitrary file overwrites, and potentially escalation of privileges For the ...
Debian Bug report logs - #840685 TOCTOU race condition in initscript on chown'ing JVM_TMP temporary directory Package: src:tomcat8; Maintainer for src:tomcat8 is Debian Java Maintainers <pkg-java-maintainers@listsaliothdebianorg>; Reported by: Paul Szabo <paulszabo@sydneyeduau> Date: Thu, 13 Oct 2016 20:30:02 UT ...
Debian Bug report logs - #842663 CVE-2016-5018: Apache Tomcat Security Manager Bypass Package: tomcat7; Maintainer for tomcat7 is Debian Java Maintainers <pkg-java-maintainers@listsaliothdebianorg>; Source for tomcat7 is src:tomcat7 (PTS, buildd, popcon) Reported by: Guido Günther <agx@sigxcpuorg> Date: Mon, 31 ...
Debian Bug report logs - #842664 CVE-2016-6794: Apache Tomcat System Property Disclosure Package: tomcat7; Maintainer for tomcat7 is Debian Java Maintainers <pkg-java-maintainers@listsaliothdebianorg>; Source for tomcat7 is src:tomcat7 (PTS, buildd, popcon) Reported by: Guido Günther <agx@sigxcpuorg> Date: Mon, ...
Debian Bug report logs - #842666 CVE-2016-6797: Apache Tomcat Unrestricted Access to Global Resources Package: tomcat7; Maintainer for tomcat7 is Debian Java Maintainers <pkg-java-maintainers@listsaliothdebianorg>; Source for tomcat7 is src:tomcat7 (PTS, buildd, popcon) Reported by: Guido Günther <agx@sigxcpuorg> ...
Debian Bug report logs - #842665 CVE-2016-6796: Apache Tomcat Security Manager Bypass Package: tomcat7; Maintainer for tomcat7 is Debian Java Maintainers <pkg-java-maintainers@listsaliothdebianorg>; Source for tomcat7 is src:tomcat7 (PTS, buildd, popcon) Reported by: Guido Günther <agx@sigxcpuorg> Date: Mon, 31 ...
Debian Bug report logs - #842662 CVE-2016-0762: Apache Tomcat Realm Timing Attack Package: tomcat7; Maintainer for tomcat7 is Debian Java Maintainers <pkg-java-maintainers@listsaliothdebianorg>; Source for tomcat7 is src:tomcat7 (PTS, buildd, popcon) Reported by: Guido Günther <agx@sigxcpuorg> Date: Mon, 31 Oct ...
USN-3177-1 introduced a regression in Tomcat ...
It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges (CVE-2016-6325 ) A malicious web application was able to bypass a config ...
Several security issues were fixed in Tomcat ...
Oracle Linux Bulletin - July 2017 Description The Oracle Linux Bulletin lists all CVEs that had been resolved and announced in Oracle Linux Security Advisories (ELSA) in the last one month prior to the release of the bulletin Oracle Linux Bulletins are published on the same day as Oracle Critical Patch Updates are released ...
Oracle Solaris Third Party Bulletin - October 2016 Description The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities fixed in third party software that is included in Oracle Solaris distributions Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical Patch Up ...
Oracle Critical Patch Update Advisory - April 2017 Description A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory Thus ...

Github Repositories

Course Project @ CS578, Fall 2019, USC

578-is-great This is a course project based on ARCADE and Tomcat in CS 578 Software Architecture Instructor & TA: Nenad Medvidovic, Adriana Sejfia Authors: Junhao Wang, Han Hu, Hopong Ng (names not listed in order) Contact Us: junhaowanggg@gmailcom Reference: listed in each section if needed Table of Contents: 578-is-great Project Description Summary of What We Did

References

CWE-200http://rhn.redhat.com/errata/RHSA-2017-0457.htmlhttp://www.debian.org/security/2016/dsa-3720http://www.securityfocus.com/bid/93943http://www.securitytracker.com/id/1037143https://access.redhat.com/errata/RHSA-2017:0455https://access.redhat.com/errata/RHSA-2017:0456https://access.redhat.com/errata/RHSA-2017:2247https://lists.apache.org/thread.html/09d2f2c65ac4ff5da42f15dc2b0f78b655e50f1a42e8a9784134a9eb@%3Cannounce.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3Ehttps://security.netapp.com/advisory/ntap-20180605-0001/https://usn.ubuntu.com/4557-1/https://www.rapid7.com/db/vulnerabilities/oracle-solaris-cve-2016-6794http://tools.cisco.com/security/center/viewAlert.x?alertId=49526https://nvd.nist.govhttps://github.com/junhaowww/578-is-greathttps://usn.ubuntu.com/3177-2/